1. 33

  2. 10

    It’s also my experience that simple “Please fill in ‘yes’ here to prove you’re not a bot”-type questions work well for the vast majority of sites.

    I’m not so sure about some of the proposed alternatives though. Some of them seem really easy to break with OCR, and most seem problematic for users with less-than-perfect motor skills, vision, etc.

    This is also the weakest point in reCAPTCHA: the audio fallback. It would seem that accessibility and an effective Turing test are not compatible goals. I presume this is why Google also falls back to all the tracking, so there is a legitimate reason to do so. That this also aligns with other Google business interests is convenient for Google, and uncomfortable for the rest of us.

    1. 2

      > This is also the weakest point in reCAPTCHA: the audio fallback.

      They’re aware of this and try to mitigate it: If you try to request the audio fallback via e.g. Tor, your request will be denied with the usual “Your computer or network may be sending automated queries. To protect our users, we can’t process your request right now. For more details visit our help page.”

    2. 5

      In some cases recaptcha is not even about proof of humanity, it is just about spam prevention. A proof of wait/patience would be enough to prevent high volume spam. Especially in cases where the user is already authenticated anyway.

      In other cases the websites have other means at their disposal and they just don’t use them. My previous mobile operator uses recaptcha on their services despite having my phone number which they could use to call/sms me. This has led to absurd tech support calls where the staff at the end of the line has to wait 15min for me to solve three captchas.

      Sometimes recaptcha is even used to filter operations that have zero spam impact, like logging in. Basically outsourcing DoS prevention to Google (to some extent).

      I’m not so sure about JavaScript as a deterrent though. It’s pretty easy to spin up a remote controlled browser these days.
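The "proof of wait" idea from the comment above, combined with the “fill in ‘yes’” question from the earlier comment, as an added example that is not part of the original thread. The token layout, the function names and the 5-second and 1-hour limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MIN_WAIT = 5     # seconds that must pass before a submission counts (assumed value)
MAX_AGE = 3600   # seconds after which an issued form expires (assumed value)


def _mac(key: bytes, issued: str, nonce: str) -> str:
    return hmac.new(key, f"{issued}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(key: bytes, now=None) -> str:
    """Return 'issued_at.nonce.mac' for a hidden field of the rendered form."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_mac(key, issued, nonce)}"


def check_submission(key: bytes, token: str, answer: str, used: set, now=None):
    """Return (accepted, reason). `used` holds nonces that were already spent."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    issued, nonce, mac = parts
    # Constant-time compare on bytes; the timestamp is trusted only after this.
    if not hmac.compare_digest(mac.encode(), _mac(key, issued, nonce).encode()):
        return False, "bad-mac"
    age = now - int(issued)
    if age < MIN_WAIT:
        return False, "too-fast"      # the client did not wait
    if age > MAX_AGE:
        return False, "expired"       # tokens cannot be stockpiled indefinitely
    if nonce in used:
        return False, "replayed"      # one wait buys exactly one submission
    if answer.strip().lower() != "yes":
        return False, "wrong-answer"  # nonce stays unspent so a human can retry
    used.add(nonce)
    return True, "ok"
```

The delay only slows each token, so the endpoint that issues tokens still needs a per-client rate limit for this to bound submission volume.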

      1. 4

        CAPTCHA is an instant turn-down for me. I basically do not use services having one. Not sure how the world turned into that given there are a bunch of better solutions that are not converting you to human MI trainers.

        1. 2

          > I basically do not use services having one.

          You don’t always have a choice. For example to get the deposit on my rental apartment back I had to fill in three (yes, three) of them. I wasn’t happy, but it’s better than losing £1 400.

          1. 1

            Obviously, when I have a choice.

          2. 1

            Which solutions would you recommend?

            1. 1
              • A rate limiter with good settings is certainly better since you get blockage only after the fact, not before.
              • Scripts that recognize human behavior (i.e. keypress habits are pretty much unique, mouse movements etc.).
              • There are way better captchas also, less intrusive, time-taking, error-prone etc. The main problem with Google captchas is that you, as a human, fail frequently. Any serious captcha would make this very hard or impossible.

              Seriously, punish those that use captcha. I never understood the concept where companies punish normal users in order to prevent unwanted behavior of a marginal group of users, and all because of their own technical shortcomings or issues (typical in banking and gov and many software domains - look into what Steinberg did to Cubase as the greatest example).

              I think people should punish such corp behavior by not using the services and spreading the word of treating you like a dumb feathery animal…

          3. 2

            Here is the one GitHub uses


            1. 1

              Depending on what kind of site you’re using, you’d do well with something like trust levels or karma (I know Lobsters actually has a concept of “new users”, who cannot downvote, and established users who can).